TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

commonly abbreviated to IE, is a series of graphical web browsers developed by Microsoft and included as part of the
Microsoft Windows line of operating systems starting in 1995. MSIE versions 5.01, 6, 6 SP1 and 7 are vulnerable to this
memory corruption vulnerability. An attacker sends a specially crafted image that, when loaded by the target user,
invokes the 'dxtmsft.dll' ActiveX control and triggers a memory corruption error, allowing arbitrary code to execute on
the target system. The code runs with the privileges of the target user. The vendor has provided patches to resolve this
issue. Update to the latest version available from the vendor's web site. Alternatively, the user can set the kill bit for
CLSID 1E54333B-2A00-11d1-8198-0000F87557DB. This signature detects attacks using a PROGID encoded in UTF encoding.
Signature ID: 35255
Microsoft Outlook "mailto:" URI Handling Vulnerability
Threat Level: Severe
Industry ID: CVE-2008-0110
Bugtraq: 28147
Signature Description: Microsoft Outlook, or Outlook, is a personal information manager from Microsoft and is part of
the Microsoft Office suite. Although often used mainly as an e-mail application, it also provides a calendar, task and
contact management, note taking, a journal and web browsing. All versions of Outlook are vulnerable to this arbitrary
code execution vulnerability. The vulnerability is caused by an error when handling a specially crafted "mailto:"
URI passed from a web browser. By creating a specially formatted mailto: URI, an attacker may be able to alter the
way that Outlook is invoked in order to allow code execution. The malicious code could be delivered to the victim via a
specially crafted HTML e-mail message or from a web page controlled by the attacker. Updates are available;
alternatively, the user can disable the mailto option on the system. Please refer to Microsoft security bulletin MS08-015
for update details and for instructions on disabling the mailto option in the vendor's system.
Signature ID: 35256
HP StorageWorks Storage Mirroring Authentication Processing Stack Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2008-1661 CVE-2008-0973
Bugtraq: 27951
Signature Description: HP Storage Mirroring Software provides host-based replication and failover for enterprise and
midrange customers seeking an alternative to fabric or array-based replication. Storage Mirroring Software uses the
absolute minimum bandwidth required to replicate customer data. Advanced features allow a customer to control
bandwidth usage and queue data for replication during off-peak times if desired. HP StorageWorks Storage Mirroring
(SWSM) software version 4.5 is vulnerable to a stack-based buffer overflow. This is caused by improper bounds
checking by the DoubleTake.exe process when handling authentication requests. During the handling of an encoded
authentication request, the process copies the user-supplied login information into a fixed-length stack buffer. Sending
at least 256 bytes triggers a stack-based buffer overflow due to a vulnerable processing loop. Exploitation of this
issue can result in arbitrary code execution or cause the application to crash. Update to version 4.5 Service Pack 2,
available from the HP web site. Please see the vendor's advisory for more details. This signature detects attacks on TCP
port 1100.
Signature ID: 35257
HP StorageWorks Storage Mirroring Authentication Processing Stack Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2008-1661 CVE-2008-0973
Bugtraq: 27951
Signature Description: HP Storage Mirroring Software provides host-based replication and failover for enterprise and
midrange customers seeking an alternative to fabric or array-based replication. Storage Mirroring Software uses the
absolute minimum bandwidth required to replicate customer data. Advanced features allow a customer to control
bandwidth usage and queue data for replication during off-peak times if desired. HP StorageWorks Storage Mirroring
(SWSM) software version 4.5 is vulnerable to a stack-based buffer overflow. This is caused by improper bounds
checking by the DoubleTake.exe process when handling authentication requests. During the handling of an encoded
authentication request, the process copies the user-supplied login information into a fixed-length stack buffer. Sending
at least 256 bytes triggers a stack-based buffer overflow due to a vulnerable processing loop. Exploitation of this